[TASK] Sanitize embedded HTML in Installation-Wide Configuration GUI
Input data is statically provided by EXT:core only, so there is no
security issue known right now. This change is a preparation to avoid
possible future security issues.

Resolves: #102676
Releases: main, 12.4, 11.5
Change-Id: I49a7fdd250e8ce74fdde07ad305cbae7e4af8ec3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82252
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
bnf authored and o-ba committed Dec 19, 2023
1 parent d9ab1d2 commit ee5898d
Showing 1 changed file with 6 additions and 6 deletions.
Expand Up @@ -42,7 +42,7 @@ <h3 class="panel-title">
<f:if condition="{f:count(subject: item.allowedValues)} || {item.dataType} == 'dropdown'">
<f:then>
<div class="form-group">
<span class="help-block">{item.description -> f:format.raw()}</span>
<span class="help-block">{item.description -> f:sanitize.html()}</span>
<select data-path="{sectionName}/{item.key}" class="t3-install-form-input-text form-select t3js-localConfiguration-pathValue">
<f:for each="{item.allowedValues}" key="optionKey" as="optionLabel">
<option value="{optionKey}" {f:if(condition: '{item.value} == {optionKey}', then: 'selected="selected"')}>{optionLabel} ({optionKey})</option>
Expand All @@ -63,14 +63,14 @@ <h3 class="panel-title">
/>
<label class="form-check-label" for="{sectionName}_{item.key}">
<span class="form-check-label-text">
{item.description -> f:format.raw()}
{item.description -> f:sanitize.html()}
</span>
</label>
</div>
</f:if>
<f:if condition="{item.type} == 'input'">
<div class="form-group">
<span class="help-block">{item.description -> f:format.raw()}</span>
<span class="help-block">{item.description -> f:sanitize.html()}</span>
<input
type="text"
value="{item.value}"
Expand All @@ -83,7 +83,7 @@ <h3 class="panel-title">

<f:if condition="{item.type} == 'password'">
<div class="form-group">
<span class="help-block">{item.description -> f:format.raw()}</span>
<span class="help-block">{item.description -> f:sanitize.html()}</span>
<input
type="password"
value="{item.value}"
Expand All @@ -96,7 +96,7 @@ <h3 class="panel-title">

<f:if condition="{item.type} == 'number'">
<div class="form-group">
<span class="help-block">{item.description -> f:format.raw()}</span>
<span class="help-block">{item.description -> f:sanitize.html()}</span>
<input
type="number"
value="{item.value}"
Expand All @@ -108,7 +108,7 @@ <h3 class="panel-title">
</f:if>

<f:if condition="{item.type} == 'textarea'">
<span class="help-block">{item.description -> f:format.raw()}</span>
<span class="help-block">{item.description -> f:sanitize.html()}</span>
<div class="form-group">
<textarea
rows="5"
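Review bot: The expression `{item.description -> f:sanitize.html()}` is now repeated verbatim in six places (help-block spans at the dropdown, input, password, number and textarea branches, plus the checkbox label text), so the sanitization policy for descriptions lives in six copies rather than one. If these branches sit inside the same per-item loop (its start is outside the hunks), resolving the description once with `<f:variable name="description" value="{item.description -> f:sanitize.html()}" />` and rendering `{description}` in each branch would keep a later change of sanitizer build or viewhelper to a single edit and make it harder for a future branch to fall back to `f:format.raw()`. Since the sanitizer only lets through its allow-listed tags and attributes, it is worth checking the rendered configuration GUI once so that any markup the existing descriptions rely on (links, emphasis) still survives rather than being stripped silently. In the textarea branch the help-block span sits before `<div class="form-group">` while every other branch places it inside; that layout difference predates this commit but stands out now that all six lines were touched.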
